ICANN has been sent another letter by the Article 29 Data Protection Working Party. However it still isn’t on ICANN’s correspondence page – I found it on the Article 29 Data Protection Working Party’s site.
The letter, which was signed by all 28 members and represents the legal position of all 28 member states of the European Union, is diplomatic, but pretty clear.
Short version: We already told you what we think, why are you asking us to repeat it?
The letter revisits and underlines points that the group had raised in previous letters to ICANN:
The 2013 RAA approved by the ICANN Board on 27 June 2013 however does not contain any material changes which address the concerns described in our letter of 6 June 2013 and thus the Working Party is compelled to continue this discussion.
In other words, ICANN appears to be ignoring them.. not good for ICANN..
And while ICANN might be struggling with the concept of “jurisdiction” the Article 29 guys definitely don’t (emphasis added):
Each Registrar operating within the Member States of the European Union is subject to the European Data Protection Directive 95/46/EC6 and therefore each Waiver Request could be considered by ICANN as an identical request rather than process each individually.
The key bit of the Directive as it relates to all this is the text of Article 6(e) of the European Data Protection Directive 95/46/EC, which is all about retention periods:
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected
ICANN wants registrars to retain the data for two years after the registration has lapsed, or the domain has moved to another registrar. That’s not compatible with the Directive.
While ICANN’s legal team might like to argue that a Directive will be implemented (or transposed) differently into each national law, that’s not entirely true, as Article 6(e) is a key tenet of the Directive.
Under Irish law, for example, the Directive is transposed under the Data Protection (Amendment) Act 2003, which updated the previous legislation from 1988. You can see the full text of the updated law here.
The wording in the Irish law is almost identical to that in the Directive:
Article 4 (e). preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored
And very similar wording was used in the French legislation OVH referenced in their recent request to ICANN for a waiver.
But ICANN’s understanding of who or what the Article 29 group is may have been part of the problem. So in this letter they’ve taken pains to clarify exactly who they are:
The Article 29 Working Party on the Protection of Individuals with regard to the Processing of Personal Data is an independent advisory body on data protection, set up under Article 29 of the EU Data Protection Directive 95/46/EC. The Chair of the Working Party is elected by its members, representatives from each of the national data protection authorities of the EU Member States and the European Data Protection Supervisor. The Article 29 Working Party is competent to examine any question covering the application of the data protection Directives in order to contribute to the uniform application of the Directives. However, for the avoidance of doubt I can confirm that each of the Data Protection Commissioners in the 28 EU member states was either represented at the meeting of the Working Party on 4 December 2013 and independently endorsed the contents of this letter, confirming that it reflects the legal position in their member state or has been contacted following the meeting on 4 December 2013 and had so confirmed.
Will this latest letter make any difference?
Here’s the full letter
[spiderpowa-pdf src=”https://www.internetnews.me/wp-content/uploads/2014/01/20140108_letter_icann.pdf”]08/01/2014 Letter from the Article 29 Working Party to ICANN
- First European registrar to get Whois data opt-out (domainincite.com)
- It’s Time for Privacy Progress in ICANN (circleid.com)
- ICANN makes progress on data retention waivers for domain name registrars (domainnamewire.com)
Emily Taylor says
Hi Michele. Good catch. I also came across this letter by accident the other day on the Art 29 WG’s website while looking for something else.
It’s pretty unambiguous stuff, and clearly all registrars who operate within the data protection environment need some clarity about how to comply with their national laws (and as the Art 29 WG said – it’s our job to know this stuff, and this *is* the law in every member state).
Data Retention and the obligation to destroy under Data Protection are often difficult to reconcile. The RAA provision would seem particularly problematic for registrars based in Germany (I think there may be one or two 😉 ).The Commission took Germany to the ECJ in May 2012 for failure to implement the Directive. Germany adopted it in 2008, but the adoption was annulled by the German Constitutional Court in 2010 (1 Bv4 256/08, 1 BvR 263/08, 1 BvR 586/08). Same thing happened in Romania.
So, for registrars in those jurisdictions, they are not even going to have even the partial protection of data retention laws.